CN114365130A - Policy definition method across information models exposed through application programming interfaces - Google Patents


Info

Publication number
CN114365130A
Application number
CN202080060483.8A
Authority
CN (China)
Legal status
Pending
Prior art keywords
api
information
policy
processor
access
Other languages
Chinese (zh)
Inventors
M·G·诺曼
D·劳伦斯
N·A·索尔特
Current assignee
JPMorgan Chase Bank NA
Original assignee
JPMorgan Chase Bank NA

Classifications

    • G: Physics
    • G06: Computing; calculating or counting
    • G06F: Electric digital data processing
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60: Protecting data
    • G06F 21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218: Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. a local or distributed file system or database
    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources

Abstract

A method for defining a policy for controlling access to a system is provided. The method comprises: identifying, for each of a plurality of information classes in an information model, at least one respective information attribute; defining a respective predicate filtering function for at least one of the information attributes; determining at least one access rule associated with the corresponding information attribute based on the defined predicate filtering function; defining a policy associated with each of the plurality of information classes based on each of the determined access rules; and constructing an Application Programming Interface (API) for the information model based on the defined policy. The API may be enhanced by updating its parameters based on the defined policy.

Description

Policy definition method across information models exposed through application programming interfaces
Cross Reference to Related Applications
This application claims the benefit of U.S. provisional patent application serial No. 62/866,293, filed on June 25, 2019, which is incorporated herein by reference in its entirety.
Technical Field
The present technology relates generally to methods and systems for controlling information access and, more particularly, to methods and systems for augmenting application programming interface specifications with appropriate parameters to support policies for controlling functional access and data access to information resources.
Background
Access to a system is controlled by policy. In many conventional systems, a policy requires that access decisions be managed by rules defined over attributes of the respective participants, the resources to be accessed, the actions or functions to be performed, and environmental factors such as the time of day.
Historically, policies have been implemented within the scope of a single system. This makes it difficult to express policies that reference attributes held in systems other than the one the policy directly applies to, and difficult for an enterprise to maintain a consistent policy that addresses access across multiple systems.
Therefore, there is a need to define and express policies that have a clear meaning both within an applicable system and with respect to attributes outside of the applicable system. There is also a need to support external evaluation, analysis and review in connection with such policies.
The above drawbacks have been addressed by introducing an external authorization framework, for example as embodied in the eXtensible Access Control Markup Language (XACML). Here, the access request is enriched with attributes from one or more policy information points (PIPs) before being evaluated by a policy decision point (PDP) against the authorization policy and enforced by a policy enforcement point (PEP).
Conventional external policy architectures have a drawback in one important respect when applied to commonly used API styles such as REST. In many cases an API request is not a request for a single resource but for a collection of resources, and the access decision is not whether the request itself is allowed but which elements of the collection may be accessed. Traditional external policy architectures handle access requests to collections by obligations: access is permitted subject to a set of conditions that the policy enforcement point must understand and comply with.
The shortcoming of the conventional approach can be seen by comparing a request to read a single resource with a request for the same resource as a member of a collection. In the first case, access to the resource is determined by evaluating the policy (at the policy decision point). In the second case, access to the resource is determined by the policy enforcement point evaluating an obligation. The obligation and the policy express the same decision, yet conventional approaches treat them as two different things, and there is no way to convert a policy into an obligation or vice versa.
Disclosure of Invention
The present disclosure provides, without limitation, various systems, servers, devices, methods, media, programs, and platforms for defining policies for controlling access to a system through one or more aspects, embodiments, and/or particular features or subcomponents. According to an exemplary embodiment, the method comprises: identifying, for each of a plurality of information classes within an information model, at least one respective information attribute; defining a respective predicate filtering function for at least one of the at least one respective information attribute; determining at least one access rule associated with the corresponding information attribute based on the defined at least one respective predicate filter function; defining a policy associated with each of the plurality of information classes based on each of the determined at least one access rule; and constructing an Application Programming Interface (API) for the information model based on the defined policy.
The API allows access to a set of instances of each of the plurality of information classes. In this regard, the method may further comprise: enhancing the API with parameters for API-specific predicates that correctly support the policy; issuing at least one request through the API to access a set of instances; introducing a predicate filtering function into the parameters of the API request and transmitting it to the system; and evaluating the enhanced API request within the system so that only policy-compliant operations are performed.
Determining the at least one access rule comprises: combining at least two of the at least one respective predicate filtering functions into a single composite filter for the corresponding information attribute; and determining the at least one access rule based on the single composite filter.
The method may also include enhancing the first API by updating at least one filter function based on the defined policy.
The method may further comprise: intercepting a first API call to the first system related to the information model; constructing a second API call comprising the defined policy based on the intercepted first API call; and executing the second API call.
Each of the at least one respective information attribute comprises: data having a respective data type selected from a plurality of data types including a text string type, a number type, and a date type.
The at least one access rule comprises: data access rules relating to an ability of a first party to access first data from within the first system, and/or function access rules relating to an ability of the first party to perform a first operation on the first data.
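As an added example (not code from the patent or its assignee), the following Python script works through the steps described above: typed attributes of one hypothetical information class, a predicate filtering function per attribute, their conjunction as a composite filter, a data-access rule paired with a function-access rule, a policy keyed by caller role, and the interception of a first REST collection call to construct a second call whose query parameters carry the policy's predicates. It also evaluates the same rule directly on a single resource, which is the policy/obligation duality raised in the Background. The information class Account, the role names, the query-parameter names and the in-memory "system" that applies them are all assumptions of this example; the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Any, Callable, Dict, List, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed sample data for one hypothetical information class, "Account". Its
# attributes use the three data types the text names: text string, number and date.
ACCOUNTS: List[Dict[str, Any]] = [
    {"id": 1, "region": "EMEA", "balance": 250_000.0, "opened": date(2018, 3, 1)},
    {"id": 2, "region": "EMEA", "balance": 5_000_000.0, "opened": date(2012, 7, 9)},
    {"id": 3, "region": "APAC", "balance": 90_000.0, "opened": date(2020, 1, 15)},
    {"id": 4, "region": "EMEA", "balance": 40_000.0, "opened": date(2010, 5, 30)},
]


@dataclass(frozen=True)
class PredicateFilter:
    """Predicate filtering function on one attribute, plus the API parameter expressing it."""
    attribute: str
    test: Callable[[Any], bool]
    param: Tuple[str, str]  # (query-parameter name, value) understood by the system's API

    def holds(self, instance: Dict[str, Any]) -> bool:
        return self.test(instance[self.attribute])


@dataclass(frozen=True)
class AccessRule:
    """Data-access rule (which instances) and function-access rule (which operations)."""
    filters: Tuple[PredicateFilter, ...]
    operations: frozenset

    def permits_instance(self, instance: Dict[str, Any]) -> bool:
        # The composite filter is the conjunction of the individual predicate filters.
        return all(f.holds(instance) for f in self.filters)

    def permits_operation(self, op: str) -> bool:
        return op in self.operations


# Hypothetical policy: information class -> caller role -> access rule.
POLICY: Dict[str, Dict[str, AccessRule]] = {
    "Account": {
        "emea_analyst": AccessRule(
            filters=(
                PredicateFilter("region", lambda v: v == "EMEA", ("region", "EMEA")),
                PredicateFilter("balance", lambda v: v < 1_000_000, ("balance_max", "1000000")),
                PredicateFilter("opened", lambda v: v >= date(2015, 1, 1), ("opened_after", "2015-01-01")),
            ),
            operations=frozenset({"GET"}),
        ),
    },
}

# Simulated collection endpoint of the underlying system (an assumption). Every recognised
# query parameter narrows the result, and repeated parameters are ANDed.
PARAM_PREDICATES: Dict[str, Callable[[Dict[str, Any], str], bool]] = {
    "region": lambda a, v: a["region"] == v,
    "balance_max": lambda a, v: a["balance"] < float(v),
    "opened_after": lambda a, v: a["opened"] >= date.fromisoformat(v),
}


def system_query(url: str) -> List[int]:
    rows = ACCOUNTS
    for name, values in parse_qs(urlsplit(url).query).items():
        pred = PARAM_PREDICATES.get(name)
        if pred is None:
            raise ValueError(f"unsupported filter parameter: {name}")  # fail closed
        for v in values:
            rows = [a for a in rows if pred(a, v)]
    return [a["id"] for a in rows]


def _rule_for(method: str, role: str, info_class: str) -> AccessRule:
    rule = POLICY.get(info_class, {}).get(role)
    if rule is None or not rule.permits_operation(method):
        raise PermissionError(f"{role} may not {method} {info_class}")
    return rule


def enhance_request(method: str, url: str, role: str, info_class: str = "Account") -> str:
    """Intercept the first API call and construct the second call with the policy's
    predicate filters appended to its parameters."""
    rule = _rule_for(method, role, info_class)
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    for f in rule.filters:
        name, value = f.param
        params.setdefault(name, []).append(value)  # append, never replace: caller filters stay ANDed
    return urlunsplit(parts._replace(query=urlencode(params, doseq=True)))


def collection_ids(method: str, url: str, role: str) -> List[int]:
    """Execute the enhanced collection request against the system."""
    return system_query(enhance_request(method, url, role))


def single_resource_decision(method: str, account_id: int, role: str) -> bool:
    """The same rule evaluated as a policy on one resource rather than as a collection filter."""
    try:
        rule = _rule_for(method, role, "Account")
    except PermissionError:
        return False
    instance = next((a for a in ACCOUNTS if a["id"] == account_id), None)
    return instance is not None and rule.permits_instance(instance)


if __name__ == "__main__":
    print(enhance_request("GET", "https://example.invalid/accounts", "emea_analyst"))
    print(collection_ids("GET", "https://example.invalid/accounts", "emea_analyst"))  # [1]
    print(single_resource_decision("GET", 2, "emea_analyst"))  # False
```

Two design choices carry the security weight. Policy predicates are appended to the caller's own query parameters rather than replacing them, so a caller who supplies `region=APAC` gets the conjunction of both filters (an empty result) and cannot widen what the policy allows. An unrecognised filter parameter raises instead of being silently dropped, because a dropped predicate would disclose the whole collection. Under these assumptions the identifiers returned by the enhanced collection request are exactly those for which the single-resource decision is allow, which is the equivalence between policy and obligation that the Background says conventional architectures lack.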
Building the first API may include using a Representational State Transfer (REST) architecture that includes a mapping between each of a plurality of elements included in the first API and at least one corresponding class among the plurality of information classes included in the information model.
The method may also include modifying at least one second API by applying the defined policy to the at least one second API for a second system associated with the information model.
The method may further comprise: receiving input from a user relating to the defined policy; adjusting the defined policy based on the received input; and modifying each of the first API and the at least one second API based on the adjusted policy.
The method may further include representing the information model as a Unified Modeling Language (UML) diagram capable of being displayed on a display.
According to another exemplary embodiment, a computing device for defining a policy for controlling access to a system is provided. The computing device includes a processor, a memory, and a communication interface coupled to each of the processor and the memory. The processor is configured to: identifying, for each of a plurality of information classes in an information model, at least one respective information attribute; defining a respective predicate filtering function for at least one of the at least one respective information attribute; determining at least one access rule associated with the corresponding information attribute based on the defined at least one respective predicate filter function; defining a policy associated with each of the plurality of information classes based on each of the determined at least one access rule; and building a first Application Programming Interface (API) for a first system associated with the information model based on the defined policy.
The processor may be further configured to combine at least two of the at least one respective predicate filtering functions into a single composite filter for the corresponding information attribute; and determining the at least one access rule based on the single composite filter.
The processor may be further configured to enhance the first API by updating at least one filter function based on the defined policy.
The processor may be further configured to: intercepting a first API call to the first system related to the information model; constructing a second API call comprising the defined policy based on the intercepted first API call; and executing the second API call.
Each of the at least one respective information attribute comprises: data having a respective data type selected from a plurality of data types including a text string type, a number type, and a date type.
The at least one access rule comprises: data access rules relating to an ability of a first party to access first data from within the first system, and/or function access rules relating to an ability of the first party to perform a first operation on the first data.
The processor may be further configured to construct the first API using a Representational State Transfer (REST) architecture that includes a mapping between each of a plurality of elements included in the first API and at least one corresponding class among the plurality of information classes included in the information model.
The processor may be further configured to modify at least one second API for a second system associated with the information model by applying the defined policy to the at least one second API.
The processor may be further configured to: receiving input from a user via the communication interface relating to the defined policy; adjusting the defined policy based on the received input; and modifying each of the first API and the at least one second API based on the adjusted policy.
The processor may be further configured to represent the information model as a Unified Modeling Language (UML) diagram capable of being displayed on a display.
Drawings
The present disclosure will be further described in the detailed description which follows, in reference to the noted plurality of drawings by way of non-limiting examples of preferred embodiments of the present disclosure in which like reference numerals represent similar elements throughout the several views of the drawings.
FIG. 1 illustrates an exemplary computer system.
FIG. 2 illustrates an example diagram of a network environment.
FIG. 3 illustrates an exemplary system for performing a method for defining policies that control access to a system.
FIG. 4 illustrates a flow chart of an exemplary process for performing a method for defining policies for controlling access to a system.
FIG. 5 is an illustration of an information model in accordance with an example embodiment.
FIG. 6 is an illustration of an information meta-model in accordance with an example embodiment.
FIG. 7 is a table of information classes and attributes corresponding to the information model in FIG. 5, according to an example embodiment.
Detailed Description
One or more of the advantages described above and in detail below are intended to be illustrated by one or more of the various aspects, embodiments, and/or specific features or sub-assemblies of the present disclosure.
Examples may also be embodied as one or more non-transitory computer-readable media having stored thereon instructions for one or more aspects of the present technology described and illustrated herein as examples. The instructions in some examples include executable code that, when executed by one or more processors, causes the processors to perform the steps necessary to implement the example methods of the techniques described and illustrated herein.
FIG. 1 is an exemplary system for use in accordance with embodiments described herein. The system 100 is schematically illustrated and may include a computer system 102 that is generally represented.
The computer system 102 may include a set of instructions that can be executed to cause the computer system 102, alone or in combination with other described devices, to perform any one or more of the methods or computer-based functions disclosed herein. The computer system 102 may operate as a standalone device or may be connected to other systems or peripheral devices. For example, computer system 102 may include or be incorporated into any one or more computers, servers, systems, communication networks, or cloud environments. Still further, the instructions may be executable in such a cloud-based computing environment.
In a networked deployment, the computer system 102 may operate in the capacity of a server or as a client user computer in a server-client network environment, a client user computer in a cloud computing environment, or as a peer computer system in a peer-to-peer (or distributed) network environment. Computer system 102, or portions thereof, may be implemented as or incorporated into various devices, such as a personal computer, a tablet computer, a set-top box, a personal digital assistant, a mobile device, a palmtop computer, a laptop computer, a desktop computer, a communication device, a wireless smart phone, a personal trusted device, a wearable device, a Global Positioning System (GPS) device, a network device, or any other machine capable of executing a set of instructions (sequential or non-sequential) that specify actions to be taken by that machine. Further, while shown as a single computer system 102, other embodiments may include any collection of systems or subsystems that individually or collectively perform instructions or perform functions. Throughout this disclosure, the term "system" should be understood to include any collection of systems or subsystems that individually or jointly execute one or more sets of instructions to perform one or more computer functions.
As shown in FIG. 1, a computer system 102 may include at least one processor 104. The processor 104 is tangible and non-transitory. As used herein, the term "non-transitory" should not be construed as a permanent state property, but rather as a property that the state will last for a period of time. The term "non-transitory" specifically disclaims fleeting characteristics, such as those of a particular carrier wave or signal, or of any other form that exists only transitorily at any place and time. The processor 104 is an article of manufacture and/or a machine component. The processor 104 is configured to execute software instructions to perform the functions described in the various embodiments herein. The processor 104 may be a general purpose processor or may be part of an Application Specific Integrated Circuit (ASIC). The processor 104 may also be a microprocessor, microcomputer, processor chip, controller, microcontroller, Digital Signal Processor (DSP), state machine, or programmable logic device. The processor 104 may also be logic circuitry including a Programmable Gate Array (PGA) such as a Field Programmable Gate Array (FPGA), or another type of circuitry including discrete gate and/or transistor logic. The processor 104 may be a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), or both. Further, any of the processors described herein may include multiple processors, parallel processors, or both. Multiple processors may be included in or coupled to a single device or multiple devices.
The computer system 102 may also include computer memory 106. The computer memory 106 may include static memory, dynamic memory, or a combination of both. The memory described herein is a tangible storage medium that can store data and executable instructions and is non-transitory when the instructions are stored therein. Again, as used herein, the term "non-transitory" should not be construed as a permanent state property, but rather as a property that the state will last for a period of time. The term "non-transitory" specifically disclaims fleeting characteristics, such as those of a particular carrier wave or signal, or of any other form that exists only transitorily at any place and time. The memory is an article of manufacture and/or a component of a machine. The memory described herein is a computer-readable medium from which a computer can read data and executable instructions. The memory described herein may be Random Access Memory (RAM), Read Only Memory (ROM), flash memory, Electrically Programmable Read Only Memory (EPROM), Electrically Erasable Programmable Read Only Memory (EEPROM), registers, a hard disk, cache, a removable disk, tape, a Compact Disc Read Only Memory (CD-ROM), a Digital Versatile Disc (DVD), a floppy disk, a Blu-ray disc, or any other form of storage medium known in the art. The memory may be volatile or non-volatile, secure and/or encrypted, or unsecure and/or unencrypted. Of course, the computer memory 106 may include any combination of memories or a single memory.
The computer system 102 may also include a display 108, such as a Liquid Crystal Display (LCD), an Organic Light Emitting Diode (OLED), a flat panel display, a solid state display, a Cathode Ray Tube (CRT), a plasma display, or any other type of display, examples of which are well known to those skilled in the art.
The computer system 102 may also include at least one input device 110, such as a keyboard, a touch-sensitive input screen or pad, a voice input, a mouse, a remote control device with a wireless keyboard, a microphone coupled to a voice recognition engine, a camera such as a video camera or a still camera, a cursor control device, a Global Positioning System (GPS) device, an altimeter, a gyroscope, an accelerometer, a proximity sensor, or any combination thereof. Those skilled in the art will appreciate that various embodiments of the computer system 102 may include multiple input devices 110. Moreover, those skilled in the art will also appreciate that the above-listed exemplary input devices 110 are not intended to be exhaustive of all examples, and that the computer system 102 may include any additional or alternative input devices 110.
The computer system 102 may also include a media reader 112 configured to read any one or more sets of instructions, such as software, from any of the memories described herein. When executed by a processor, the instructions may be used to perform one or more of the methods and processes as described herein. In particular embodiments, the instructions may reside, completely or at least partially, within the memory 106, the media reader 112, and/or the processor 104 during execution thereof by the computer system 102.
Further, the computer system 102 may include any additional devices, components, parts, peripherals, hardware, software, or any combination thereof, which are generally known and understood to be included with or within a computer system, such as, but not limited to, the network interface 114 and the output device 116. Output device 116 may be, but is not limited to, a speaker, audio output, video output, remote control output, printer, or any combination thereof.
Each component of computer system 102 may be interconnected and communicate via a bus 118 or other communication link. As shown in FIG. 1, the components may be interconnected and communicate via an internal bus. However, it will be appreciated by those skilled in the art that any of the components may also be connected by an expansion bus. Further, bus 118 may enable communication via any commonly known and understood standard or other specification, such as, but not limited to, Peripheral Component Interconnect (PCI), PCI Express (PCIe), Parallel Advanced Technology Attachment (PATA), Serial Advanced Technology Attachment (SATA), and the like.
Computer system 102 may communicate with one or more additional computer devices 120 via network 122. Network 122 may be, but is not limited to, a local area network, a wide area network, the internet, a telephone network, a short-range network, or any other network generally known and understood in the art. The short-range network may include, for example, Bluetooth, Zigbee, infrared, near field communication, ultra-wideband, or any combination thereof. Those skilled in the art will appreciate that additional networks 122, which are generally known and understood, may additionally or alternatively be used, and that exemplary network 122 is not limiting or exhaustive of all examples. Furthermore, although the network 122 is shown in FIG. 1 as a wireless network, those skilled in the art will appreciate that the network 122 may also be a wired network.
Additional computer devices 120 are shown in FIG. 1 as personal computers. However, those skilled in the art will appreciate that in alternative embodiments of the present application, the computer device 120 may be a laptop computer, a tablet personal computer, a personal digital assistant, a mobile device, a palmtop computer, a desktop computer, a communications device, a wireless telephone, a personal trusted device, a network appliance, a server, or any other device capable of executing an ordered or unordered set of instructions that specify actions to be taken by that device. Of course, those skilled in the art will appreciate that the above listed devices are merely exemplary devices and that the device 120 may be any additional device or apparatus commonly known and understood in the art without departing from the scope of the present application. For example, the computer device 120 may be the same as or similar to the computer system 102. Further, those skilled in the art will similarly appreciate that the apparatus may be any combination of apparatus and devices.
Of course, those skilled in the art will appreciate that the above-listed components of computer system 102 are intended to be exemplary only and are not intended to be exhaustive and/or include all of the aspects. Moreover, the above listed examples of components are also intended to be exemplary, and similarly are not intended to be exhaustive and/or to include all.
According to various embodiments of the present disclosure, the methods described herein may be implemented using a hardware computer system executing a software program. Further, in an exemplary non-limiting embodiment, implementations can include distributed processing, component/object distributed processing, and parallel processing. Virtual computer system processing may be built to implement one or more of the methods or functions as described herein, and the processors described herein may be used to support a virtual processing environment.
As described herein, various embodiments provide a preferred method and system for defining policies that control access to a system.
Referring to FIG. 2, a schematic diagram of an exemplary network environment 200 is shown, which may be used to implement a method for defining policies for controlling access to a system. In an exemplary embodiment, the method may be performed on any networked computer platform, such as a Personal Computer (PC).
The method for defining policies that control access to a system may be implemented by an Access Control Policy Definition (ACPD) device 202. The ACPD device 202 may be the same as or similar to the computer system 102 described in FIG. 1. The ACPD device 202 may store one or more applications that may include executable instructions that, when executed by the ACPD device 202, cause the ACPD device 202 to perform actions such as sending, receiving, or otherwise processing network messages, as well as other actions described and illustrated below, for example, with reference to the figures. An application may be implemented as a module or component of another application. Further, the application may be implemented as an operating system extension, module, plug-in, and the like.
Further, the application may be run in a cloud computing environment. The application may be executed within a virtual machine or virtual server managed in the cloud computing environment, or the application may be executed as a virtual machine or virtual server managed in the cloud computing environment. Also, applications, even the ACPD device 202 itself, may be located in a virtual server running in a cloud computing environment, rather than being bound to one or more specific physical network computing devices. Further, the application may run in one or more Virtual Machines (VMs) running on the ACPD device 202. Additionally, in one or more embodiments of the present technology, the virtual machine running on the ACPD device 202 may be managed or supervised by a hypervisor.
In the network environment 200 of FIG. 2, the ACPD device 202 is coupled to a plurality of server devices 204(1)-204(n) hosting a plurality of databases 206(1)-206(n), and is further coupled to a plurality of client devices 208(1)-208(n) through one or more communication networks 210. The communication interface of the ACPD device 202, such as the network interface 114 of the computer system 102 of FIG. 1, is operatively coupled to and communicates between the ACPD device 202, the server devices 204(1)-204(n), and/or the client devices 208(1)-208(n), which are all coupled together via the communication network 210, although other types and/or numbers of communication networks or systems having other types and/or numbers of connections and/or configurations with other devices and/or elements may be used.
The communication network 210 may be the same as or similar to the network 122 described in FIG. 1, although the ACPD device 202, the server devices 204(1)-204(n), and/or the client devices 208(1)-208(n) may be coupled together by other topologies. In addition, network environment 200 may include other network devices, such as one or more routers and/or switches, which are well known in the art and, therefore, are not described herein. The present technology provides a number of advantages, including a method, a non-transitory computer readable medium, and an ACPD apparatus that efficiently perform a method for defining a policy for controlling access to a system.
By way of example only, communication network 210 may include a Local Area Network (LAN) or a Wide Area Network (WAN), and may use the TCP/IP protocol and industry-standard Internet protocols, although other types and/or numbers of protocols and/or communication networks may be used. The communication network 210 in this example may employ any suitable interface mechanisms and network communication techniques, including, for example: any suitable form of telecommunications service (e.g., voice, modem, etc.), the Public Switched Telephone Network (PSTN), an Ethernet-based Packet Data Network (PDN), combinations thereof, or the like.
The ACPD device 202 may be a stand-alone device or may be integrated with one or more other devices or apparatuses, such as one or more of the server devices 204(1) -204 (n). In one particular example, the ACPD device 202 may comprise or be hosted by one of the server devices 204(1) -204(n), and other settings are possible. Further, one or more of the ACPD devices 202 may be in the same or different communication networks, including, for example, one or more public, private, or cloud networks.
The plurality of server devices 204(1)-204(n) may be the same as or similar to computer system 102 or computer device 120 described with reference to FIG. 1, and include any feature or combination of features described in connection therewith. For example, any of server devices 204(1)-204(n) may include, among other features, one or more processors, a memory, and a communication interface coupled together by a bus or other communication link, although other numbers and/or types of network devices may be used. Server devices 204(1)-204(n) in this example may process requests received from ACPD device 202 via communication network 210 according to, for example, a JavaScript Object Notation (JSON) based protocol over HTTP, although other protocols may also be used.
Server devices 204(1) -204(n) may be hardware or software, or may represent a system having multiple servers in a pool containing internal or external networks. Server devices 204(1) -204(n) host databases 206(1) -206(n) configured to store information models describing classes of information and relationships between information classes of systems and domains of data, policies, and access control rules, including data access rules related to exposing particular data types to particular entities, function access rules related to the ability to perform particular functions on particular data types, and administrative principles reflected by data access and function access rules.
Although server devices 204(1)-204(n) are illustrated as single devices, at least one action of each server device 204(1)-204(n) may be distributed across different network computing devices that collectively comprise one or more of server devices 204(1)-204(n). Further, the server devices 204(1)-204(n) are not limited to a particular configuration. Thus, server devices 204(1)-204(n) may include multiple network computing devices that operate using a master/slave approach, whereby one of server devices 204(1)-204(n) operates to manage and/or otherwise coordinate the operation of the other network computing devices.
For example, server devices 204(1) -204(n) may operate as multiple network computing devices within a cluster architecture, peer-to-peer architecture, virtual machine, or cloud architecture. Thus, the techniques disclosed herein should not be construed as limited to a single environment, as other configurations and architectures are also contemplated.
The plurality of client devices 208(1)-208(n) may also be the same as or similar to computer system 102 or computer device 120 described with reference to fig. 1, and include any feature or combination of features described in connection therewith. For example, client devices 208(1)-208(n) in this example may comprise any type of computing device capable of interacting with ACPD device 202 via communication network 210. Thus, client devices 208(1)-208(n) may be, for example, mobile computing devices, desktop computing devices, laptop computing devices, tablet computing devices, virtual machines (including cloud-based computers), etc., that support chat, email, or text-to-speech applications. In an exemplary embodiment, at least one client device 208 is a wireless mobile communication device, i.e., a smart phone.
The client devices 208(1)-208(n) may run interface applications, such as a standard web browser or a stand-alone client application, which may provide an interface to communicate with the ACPD device 202 over the communication network 210 to transfer user requests and information. Client devices 208(1)-208(n) may further include, among other features, a display device, such as a display screen or touch screen, and/or an input device, such as a keyboard.
Although the exemplary network environment 200 is described and illustrated herein with ACPD device 202, server devices 204(1) -204(n), client devices 208(1) -208(n), and communication network 210, other types and/or numbers of systems, devices, components, and/or elements in other topologies may be used. It should be understood that the system described in the embodiments herein is for exemplary purposes, as numerous variations of the specific hardware and software used to implement the embodiments are possible, as will be appreciated by those skilled in the relevant art(s).
One or more devices depicted in network environment 200, such as ACPD device 202, server devices 204(1) -204(n), or client devices 208(1) -208(n), for example, may be configured to run as virtual instances on the same physical machine. In other words, one or more of the ACPD device 202, the server devices 204(1) -204(n), or the client devices 208(1) -208(n) may run on the same physical device rather than as separate devices communicating over the communication network 210. Additionally, there may be more or fewer ACPD devices 202, server devices 204(1) -204(n), or client devices 208(1) -208(n) than shown in FIG. 2.
In addition, in any example, two or more computing systems or devices may be used in place of any one system or device. Accordingly, principles and advantages of distributed processing, such as redundancy and replication, may also be implemented as desired to increase the robustness and performance of the devices and systems of the examples. These examples may also be implemented on a computer system that spans any suitable network using any suitable interface mechanisms and traffic technologies, including, for example, any suitable form of telecommunications traffic (e.g., voice and modems), wireless traffic networks, cellular traffic networks, Packet Data Networks (PDNs), the internet, intranets, and combinations thereof.
For example, the ACPD device 202 is depicted and illustrated in fig. 3 as including an access control policy definition module 302, although it may include other rules, policies, modules, databases, or applications, for example. The access control policy definition module 302 is configured to implement a method for defining policies that control access to a system in an automatic, efficient, extensible, and reliable manner, as described below.
An exemplary flow 300 for implementing a mechanism for defining a policy for controlling access to a system by utilizing the network environment of fig. 2 is illustrated as being performed in fig. 3. Specifically, a first client device 208(1) and a second client device 208(2) are illustrated as being in communication with the ACPD device 202. Based on this, the first client device 208(1) and the second client device 208(2) may be "clients" of the ACPD device 202 and are described as such herein. However, it is to be appreciated and understood that the first client device 208(1) and/or the second client device 208(2) do not necessarily have to be "clients" of the ACPD device 202, or any entity described herein in connection therewith. Any additional or alternative relationship may exist, or no relationship may exist, between one or both of the first client device 208(1) and the second client device 208(2) and the ACPD device 202.
Further, the ACPD device 202 is illustrated as having access to an information model repository 206(1) and a policy and access control rules database 206 (2). The access control policy definition module 302 may be configured to access these databases to implement methods for defining policies that control access to the system.
First client device 208(1) may be, for example, a smartphone. Of course, first client device 208(1) may be any additional device described herein. The second client device 208(2) may be, for example, a Personal Computer (PC). Of course, second client device 208(2) may also be any additional device described herein.
The process may be performed by a communication network 210, where the communication network 210 may include multiple networks as described above. For example, in an exemplary embodiment, one or both of the first client device 208(1) and the second client device 208(2) may communicate with the ACPD device 202 via broadband or cellular communications. Of course, these embodiments are merely exemplary, and are not limiting or exhaustive.
Upon being initiated, the access control policy definition module 302 performs a process for defining a policy for controlling access to the system. An exemplary process for defining policies for controlling access to a system is generally illustrated in the flow diagram 400 of FIG. 4.
In process 400 of FIG. 4, in step S402, attributes of a plurality of information classes in an information model are identified for a system. In an exemplary embodiment, the information model is represented in a variant of the Unified Modeling Language (UML), and classes represent key concepts within the domain of the system. Each class includes one or more properties, which are primitive information elements of a particular type, such as a text string, a numeric type, or a date type, and which may be null. In an exemplary embodiment, each class includes an attribute of type string that is a Globally Unique Identifier (GUID) whose value is unique to the instance of the class. The information model may be illustrated as a directed graph of classes with arcs, such that each arc runs from a parent class to a child class. In this regard, each child class belongs to a parent class, and each parent class may have more than one child class. There is no requirement that the graph of classes be connected. Furthermore, a parent class may be the same class as its child class, allowing instances with a hierarchical structure to be represented. In an exemplary embodiment, if there is a many-to-many relationship between a first class and a second class, an explicit intermediate third class is required, with two arcs, so that an instance of the first class has many instances of the third class and an instance of the second class likewise has many instances of the third class.
Referring to FIG. 5, an example of a UML diagram of an information model is shown. In the example of FIG. 5, the information model is based on a hotel reservation system, and the model includes four classes: "Country", "Hotel", "Booking", and "Employee". As shown in FIG. 5, Booking is a child class of the parent class Hotel; conversely, a hotel has many bookings. Likewise, Employee is a child class of the parent class Hotel, and a hotel has many employees. Hotel is a child class of the parent class Country, and a country has many hotels. Further, each class contains one or more properties: Country has a "name" property, of text string type; Hotel also has a "name" property, also of text string type; Employee also has a "name" property, also of text string type; and Booking has three properties, namely "id", an identification number of numeric type, and "startDate" and "endDate", both of date type.
Referring also to FIG. 6, a diagram of an information meta-model is shown, in which an information model such as that of FIG. 5 may be described. In the information meta-model of FIG. 6, the classes of FIG. 5 are shown as belonging to a domain, which represents the bounded set of classes for which policy definitions are to be made. For example, for the information model of FIG. 5, the domain may be designated the "hotel booking" domain. Attributes are illustrated as belonging to classes: each attribute belongs to one class, and a class may have multiple attributes. With continued reference to FIG. 7, to construct the meta-model of FIG. 6 from the information model of FIG. 5, the properties of each class are recorded as attributes according to the relationship of the property to the class. For example, for the class Hotel, two properties relate directly to the class and can be listed as the attributes "Hotel.name" and "Hotel.id", and the three other classes contribute seven properties indirectly associated with the class Hotel: "Hotel.Country.name", "Hotel.Country.id", "Hotel.Employee.name", "Hotel.Employee.id", "Hotel.Booking.id", "Hotel.Booking.startDate", and "Hotel.Booking.endDate".
With continued reference to FIG. 4, in step S404, a set of predicate filtering functions is defined for the attributes of the plurality of classes identified in step S402. Still referring to FIG. 6, the meta-model also includes a set of simple predicates that define functional relationships for selecting instances of classes in the information model, where operands, scalars, and operators are the elements from which simple predicates are built. For example, a simple predicate may express the hotel bookings starting on a specified date, such as 1 January 2018. In this example, the simple predicate may be written as follows:
Bookings.startDate=01/01/2018
In this example, the operand is the attribute "Bookings.startDate", the scalar "01/01/2018" stands for the date 1 January 2018, and the operator is the equal sign "=".
As another example, to construct a simple predicate that selects hotel bookings for hotels located in the United States or the UK, the simple predicate may include as operands the attribute "books.
Referring again to FIG. 6, a composite predicate may be generated by conjunction (an "AND" operation) and disjunction (an "OR" operation) of simple predicates. Continuing the above example, a simple predicate representing hotel bookings starting on 1/1/2018 may be combined with a simple predicate representing bookings at hotels in the United States or the UK to form a composite predicate that selects all bookings in the United States or the UK starting on 1/1/2018, as follows:
Bookings.Hotel.Country.name in ["USA","UK"] AND Bookings.startDate="1/1/2018"
in this way, simple predicates can be combined into composite predicates, which can effectively define filters for selecting information as a function of multiple attributes.
Referring again to fig. 4, in step S406, a set of access rules is determined based on the filter function defined in step S404. Access rules specify conditions under which a particular person or entity is allowed to access particular information. For example, an access rule may specify conditions that allow a particular employee or group of employees to access certain hotel reservation information. These access rules may include data access rules related to the ability to view a particular data type and function access rules related to the ability to perform functions/operations on a particular data type.
Then, in step S408, a policy is defined for each class based on the access rules determined in step S406. For example, the access rules may define a first policy according to which an employee is allowed to view all bookings in the country in which the employee works, and a second policy according to which the employee is allowed to update all bookings for the hotel in which the employee works. In this regard, the access rules are determined by filter functions, and each policy is derived using those filter functions.
In step S410, an Application Programming Interface (API) is constructed for the information model based on the above classes and attributes. In exemplary embodiments, the API is constructed using a Representational State Transfer (REST) framework in which there is a well-defined mapping between the resources exposed by the API and the instances of classes in the information model that are retrieved and/or updated; however, the present disclosure is not so limited, and the API can be constructed using other types of REST architectures and/or other types of architectures.
In an exemplary embodiment, the API exposes URLs of the following forms, where <prefix> is the uniform resource locator of the entire information model:
<prefix>/<requestedClass>: addresses the set of instances of class <requestedClass>
<prefix>/<requestedClass>/<id>: addresses the single instance of class <requestedClass> identified by <id>
<prefix>/<requestedClass>/<id>/<association>: addresses the set of entities linked by the association <association> to the instance of class <requestedClass> identified by <id>
Each URL allows the following HTTP verbs:
GET (read) and DELETE (delete) on singleton URLs
GET (read) and POST (create) on collection URLs
The REST API serializes objects into JavaScript Object Notation (JSON). The API user has a mechanism to determine the type of each property and whether it is an association. Properties of a base type are serialized directly into JSON. Association properties are serialized as strings representing endpoints of the API. Where a requestedClass belongs to a parentClass, the association property in the serialization of the requestedClass instance is serialized as "prefix/parentClass/associatedId" or null, where associatedId is the identifier of the associated instance (if any) in the parentClass. Where a requestedClass has many childClass instances, the association property is denoted "prefix/requestedClass/id/association".
These representations are used to interact with the system for reading and writing. Thus, by performing an HTTP GET on the URL "prefix/Booking", the set of bookings can be retrieved as a JSON string representation, and by creating a JSON representation of a hotel, the hotel identified as 12345 can be created.
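As an added example (not the patent's code) of the meta-model flattening described for FIG. 7 and of the URL scheme and JSON serialization rules just given, the following Python assumes a small SCHEMA table for the hotel-booking classes and a placeholder <prefix> of https://api.example.test/hotelmodel; the function names attributes, serialize and route are this example's own, and the verbs permitted on an association URL are an assumption, since the text specifies verbs only for singleton and collection URLs.

```python
import json

PREFIX = "https://api.example.test/hotelmodel"   # assumed <prefix> of the whole model

# Meta-model of the hotel-booking domain, constructed to follow the classes and
# arcs described in the text.  Every class carries an "id" plus its own base-typed
# properties, belongs to at most one parent class and has many of each child class.
# This table is the mechanism an API user consults to tell base-typed properties
# from associations.
SCHEMA = {
    "Country": {"props": ["name"], "belongsTo": None, "hasMany": ["Hotel"]},
    "Hotel": {"props": ["name"], "belongsTo": "Country", "hasMany": ["Booking", "Employee"]},
    "Booking": {"props": ["startDate", "endDate"], "belongsTo": "Hotel", "hasMany": []},
    "Employee": {"props": ["name"], "belongsTo": "Hotel", "hasMany": []},
}


def attributes(cls):
    """Attribute paths of a class: its own properties plus, one arc away, those of
    its parent and child classes (the flattening the text shows for the hotel class)."""
    spec = SCHEMA[cls]
    paths = {f"{cls}.id"} | {f"{cls}.{p}" for p in spec["props"]}
    for other in ([spec["belongsTo"]] if spec["belongsTo"] else []) + spec["hasMany"]:
        paths |= {f"{cls}.{other}.id"} | {f"{cls}.{other}.{p}" for p in SCHEMA[other]["props"]}
    return sorted(paths)


def serialize(cls, instance):
    """Serialize one instance to JSON: base-typed properties inline, the belongs-to
    association as the parent's singleton URL (or null), every has-many association
    as the child-collection URL beneath this instance."""
    spec, out = SCHEMA[cls], {"id": instance["id"]}
    for p in spec["props"]:
        out[p] = instance.get(p)
    parent = spec["belongsTo"]
    if parent:
        linked = instance.get(parent)
        out[parent] = None if linked is None else f"{PREFIX}/{parent}/{linked['id']}"
    for child in spec["hasMany"]:
        out[child] = f"{PREFIX}/{cls}/{instance['id']}/{child}"
    return json.dumps(out, sort_keys=True)


def route(method, url):
    """Classify a URL (path only, no query) as a collection, singleton or association
    resource and check the verb against the verbs the text allows for that kind.
    Treating an association URL like a collection (GET, POST) is an assumption."""
    if not url.startswith(PREFIX + "/"):
        raise ValueError("URL is outside the information model")
    parts = url[len(PREFIX) + 1:].split("/")
    cls = parts[0]
    if cls not in SCHEMA or "" in parts:
        raise ValueError(f"malformed resource path {url!r}")
    if len(parts) == 1:
        kind, allowed = "collection", {"GET", "POST"}
    elif len(parts) == 2:
        kind, allowed = "singleton", {"GET", "DELETE"}
    elif len(parts) == 3 and parts[2] in SCHEMA[cls]["hasMany"]:
        kind, allowed = "association", {"GET", "POST"}
    else:
        raise ValueError(f"malformed resource path {url!r}")
    if method not in allowed:
        raise ValueError(f"{method} is not allowed on a {kind} URL")
    return kind, cls


# Constructed sample instance (a hotel in the UK) for a stand-alone run.
UK = {"id": "c-2", "name": "UK"}
THAMES = {"id": "h-2", "name": "Thames View", "Country": UK}

if __name__ == "__main__":
    print(attributes("Hotel"))
    print(serialize("Hotel", THAMES))
    print(route("GET", f"{PREFIX}/Booking"))
```

Because association properties are serialized as API URLs rather than as nested objects, a reader of one instance learns only the endpoint of the related resource; whether that endpoint can then be read is decided by the verb check and the policy applied to that second request, not by the first.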
The REST API is enhanced with a filtering parameter carrying a predicate, where the predicate can be any of those detailed above, and the API call retrieves (or modifies) a data element if and only if the data element matches the predicate. Thus, the API allows all bookings in the US or the UK starting on 1/1/2018 to be retrieved by performing an HTTP GET on the URL prefix/Booking with the filter parameter set to the composite predicate given above.
The filtering function determined by the predicate set effectively constrains access in the information model according to the attributes of the information model and the instances involved in the predicate set. This predicate syntax is also used to define the policy. In this manner, the API provides an information access control mechanism that reflects the policies defined by the filter function.
In an exemplary embodiment, a user may thus make an API call requesting access to data within the information model, and the ACPD device may intercept the API call and introduce the policy to generate another correctly formatted API call that causes the system to respond in a manner that conforms to the policy. For example, a user may perform an HTTP GET on the URL prefix/Booking, and the ACPD device may convert the request into an API call on prefix/Booking whose filter predicate expresses the policy.
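How the interception step might look at a policy enforcement point, as an added Python example rather than code from the patent: the two employee policies described for step S408 are kept as predicate templates over the information model, the caller's attributes are substituted in, and the bound predicate is conjoined with whatever filter the caller supplied before the call is forwarded. The PREFIX, POLICIES, bind and enforce names are this example's own; mapping the "update" policy to the DELETE verb (the only modifying verb on a singleton URL in the scheme above) and parenthesising the two predicates (the page's own predicates show no parentheses) are assumptions.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

PREFIX = "https://api.example.test/hotelmodel"   # assumed <prefix> of the whole model

# Policies keyed by class and HTTP verb, written as predicate templates over the
# information model (constructed from the two employee policies the text gives as
# examples: view bookings in the employee's country, modify bookings at the
# employee's hotel).  A {...} placeholder names an attribute of the calling
# employee that is substituted before the call is forwarded.
POLICIES = {
    "Booking": {
        "GET": 'Bookings.Hotel.Country.name="{Employee.Hotel.Country.name}"',
        "DELETE": 'Bookings.Hotel.id="{Employee.Hotel.id}"',
    },
}
PLACEHOLDER = re.compile(r"\{([\w.]+)\}")
UNSAFE = re.compile(r'["\[\]()]')   # characters that would let a value escape its quoted scalar


def bind(template, principal):
    """Replace each placeholder with the caller's attribute value.  The principal is
    a flat map of attribute path -> value, as a policy decision point would hold it."""
    def substitute(match):
        path = match.group(1)
        if path not in principal:
            raise PermissionError(f"caller attribute {path} is not known; denying")
        value = str(principal[path])
        if UNSAFE.search(value):
            raise ValueError(f"caller attribute {path} contains predicate syntax")
        return value
    return PLACEHOLDER.sub(substitute, template)


def enforce(method, url, principal):
    """Rewrite an incoming call into the policy-conforming call to forward.  The
    bound policy predicate is conjoined with any filter the caller supplied, each
    side parenthesised, so the caller can narrow the result set but never widen it.
    Verbs and classes with no policy are denied by default.  Returns the rewritten
    URL and the effective filter predicate."""
    if not url.startswith(PREFIX + "/"):
        raise ValueError("URL is outside the information model")
    parts = urlsplit(url)
    cls = parts.path[len(urlsplit(PREFIX).path) + 1:].split("/")[0]
    template = POLICIES.get(cls, {}).get(method)
    if template is None:
        raise PermissionError(f"no policy grants {method} on {cls}")
    policy = bind(template, principal)
    query = parse_qs(parts.query)
    caller_filter = query.get("filter", [None])[0]
    effective = policy if caller_filter is None else f"({caller_filter}) AND ({policy})"
    query["filter"] = [effective]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True))), effective


# Constructed sample caller: an employee of a hotel in the UK.
UK_EMPLOYEE = {"Employee.Hotel.Country.name": "UK", "Employee.Hotel.id": "h-2"}

if __name__ == "__main__":
    print(enforce("GET", f"{PREFIX}/Booking", UK_EMPLOYEE))
    print(enforce("GET", f'{PREFIX}/Booking?filter=Bookings.startDate="1/1/2018"', UK_EMPLOYEE))
```

Two details carry the security of the rewrite. The caller's filter is wrapped in parentheses before the policy predicate is ANDed on, because a caller filter containing an unparenthesised OR would otherwise bind more loosely than the AND and escape the policy; and substituted attribute values are rejected if they contain quote or bracket characters, so a value cannot close the quoted scalar and append predicate syntax of its own. The target system still evaluates the predicate itself, which is the decoupling of policy storage from policy evaluation that the text describes.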
According to one or more exemplary embodiments, the API supports and controls access to information processed by the model. In addition, since the policy is defined according to information class and attribute, the policy can be applied to a plurality of systems in a manner decoupled from the API of a specific system. Thus, a composite policy may be generated that is transparent and persistent to the enterprise. In this regard, by defining a policy as an expression based on an information model, the same policy can be projected onto multiple APIs as long as the policy is based on the same underlying information class.
In accordance with one or more exemplary embodiments, the method of defining policies for controlling access to information resources provides an advantage of being able to reason about policy coverage, integrity and correctness of a set of associated APIs. Furthermore, the ability to associate policy definitions with an API effectively decouples policy storage, retrieval, and policy evaluation. For example, an external policy enforcement point may receive an API request from a user, introduce a policy, and then pass the policy on to the target system. As a result, policy decisions can be made by the target system without requiring an internal persistent policy. This may be particularly useful when evaluating a policy externally against the API resources of a set of retrieval instances, because each resource in the set need not be retrieved before applying a newly introduced policy, but rather the policy may be provided as an expression through the API for the system to resolve on its own.
In an exemplary embodiment, since the simple predicate in the policy has a good form relative to the information model, the simple predicate may be replaced with a specific set of values in the information model. Thus, a policy can be partially evaluated for multiple systems and the resulting value set replaced before the policy is introduced to the active system for final decision making. Thus, incremental evaluation can be performed on an enterprise-wide policy without requiring a centralized policy decision engine to access all relevant attributes.
Conversely, in some cases the API may return a filtering predicate for evaluation rather than a result set. In this way, constraints relevant to subsequent requests can be expressed. In particular, such constraints can be incorporated into a user interface to eliminate invalid selections from a drop-down list in the user interface.
Thus, an optimization process for defining policies that control access to the system is provided using this technique.
While the present invention has been described with reference to several exemplary embodiments, it is understood that the words which have been used are words of description and illustration, rather than words of limitation. Modifications may be made within the scope of the appended claims as presently stated and as amended, without departing from the scope and spirit of the present disclosure in its aspects. Although the invention has been described with reference to particular means, materials and embodiments, the invention is not intended to be limited to the particulars disclosed; rather, the invention extends to all functionally equivalent structures, methods and uses, such as are within the scope of the appended claims.
For example, while the computer-readable medium may be described as a single medium, the term "computer-readable medium" includes a single medium or multiple media, such as a centralized or distributed database, and/or associated caches and servers that store the one or more sets of instructions. The term "computer-readable medium" shall also be taken to include any medium that is capable of storing, encoding or carrying a set of instructions for execution by a processor or that cause a computer system to perform any one or more of the embodiments disclosed herein.
The computer-readable medium may include one or more non-transitory computer-readable media and/or include one or more transitory computer-readable media. In a specific non-limiting exemplary embodiment, the computer-readable medium can include a solid-state memory, such as a memory card or other package that houses one or more non-volatile read-only memories. Further, the computer readable medium may be a random access memory or other volatile rewritable memory. In addition, a computer-readable medium may include a magneto-optical or optical medium, such as a magnetic disk or tape, or other storage device to capture a carrier wave signal, such as a signal transmitted over a transmission medium. Accordingly, the disclosure is considered to include any computer-readable medium or other equivalent and successor media, in which data or instructions may be stored.
Although the present application describes particular embodiments as a computer program or code segments in a computer readable medium, it should be understood that dedicated hardware implementations, such as application specific integrated circuits, programmable logic arrays and other hardware devices, can be constructed to implement one or more of the embodiments described herein. Applications that include the various embodiments set forth herein may broadly include a variety of electronic and computer systems. Accordingly, this application may cover software, firmware, and hardware implementations, or a combination thereof. Nothing in this application should be construed as being or capable of being implemented in software rather than hardware.
Although this specification describes components and functions that may be implemented in particular embodiments with reference to particular standards and protocols, the present disclosure is not limited to such standards and protocols. Such standards are periodically superseded by faster or more effective equivalents having essentially the same function. Accordingly, replacement standards and protocols having the same or similar functions are considered equivalents thereof.
The illustrations of the embodiments described herein are intended to provide a general understanding of the various embodiments. The illustrations are not intended to serve as a complete description of all of the elements and features of apparatus and systems that utilize the structures or methods described herein. Many other embodiments may be apparent to those of skill in the art upon reading this disclosure. Other embodiments may be utilized or derived from the disclosure, such that structural and logical substitutions and changes may be made without departing from the scope of the disclosure. Further, the illustrations are merely representational and may not be drawn to scale. Some proportions within the illustrations may be exaggerated, while other proportions may be minimized. The present disclosure and figures are, therefore, to be regarded as illustrative rather than restrictive.
One or more embodiments of the present disclosure may be referred to herein, individually and/or collectively, by the term "invention" merely for convenience and without intending to voluntarily limit the scope of this application to any particular invention or inventive concept. Moreover, although specific embodiments have been illustrated and described herein, it should be appreciated that any subsequent arrangement designed to achieve the same or similar purpose may be substituted for the specific embodiments shown. This disclosure is intended to cover any and all subsequent adaptations or variations of various embodiments. Combinations of the above embodiments, and other embodiments not specifically described herein, will be apparent to those of skill in the art upon reviewing the description.
The Abstract of the disclosure is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims. Furthermore, in the foregoing detailed description, various features may be grouped together or described in a single embodiment for the purpose of streamlining the disclosure. This disclosure is not to be interpreted as reflecting an intention that the claimed embodiments require more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive subject matter may be directed to less than all of the features of any of the disclosed embodiments. Thus, the following claims are hereby incorporated into the detailed description, with each claim standing on its own as defining separately claimed subject matter.
The above-disclosed subject matter is to be considered illustrative, and not restrictive, and the appended claims are intended to cover all such modifications, enhancements, and other embodiments, which fall within the true spirit and scope of the present disclosure. Thus, to the maximum extent allowed by law, the scope of the present disclosure is to be determined by the broadest permissible interpretation of the following claims and their equivalents, and shall not be restricted or limited by the foregoing detailed description.

Claims (20)

1. A method for defining policies for controlling access to a system, the method being performed by at least one processor, the method comprising:
identifying, by the at least one processor, for each of a plurality of classes of information within an information model, at least one respective information attribute;
defining, by the at least one processor, a respective predicate filtering function for at least one of the at least one respective information attribute;
determining, by the at least one processor, at least one access rule associated with the corresponding information attribute based on the defined at least one respective predicate filtering function;
defining, by the at least one processor, a policy associated with each of the plurality of information classes based on each of the determined at least one access rule; and
constructing, by the at least one processor, a first Application Programming Interface (API) for a first system associated with the information model based on the defined policy.
2. The method of claim 1, wherein determining the at least one access rule comprises:
combining at least two of the at least one respective predicate filtering functions into a single composite filter for the corresponding information attribute; and
determining the at least one access rule based on the single composite filter.
3. The method of claim 1, wherein the method further comprises:
enhancing the first API by updating at least one filter function based on the defined policy.
4. The method of claim 1, wherein the method further comprises:
intercepting a first API call to the first system related to the information model;
constructing a second API call comprising the defined policy based on the intercepted first API call; and
executing the second API call.
5. The method of claim 1, wherein each of the at least one respective information attribute comprises: data having a respective data type selected from a plurality of data types including a text string type, a number type, and a date type.
6. The method of claim 1, wherein the at least one access rule comprises: data access rules relating to an ability of a first party to access first data from within the first system, and/or function access rules relating to an ability of the first party to perform a first operation on the first data.
7. The method of claim 1, wherein constructing the first API comprises:
using a Representational State Transfer (REST) framework, the REST framework including a mapping between each of a plurality of elements included in the first API and at least one corresponding class of the plurality of information classes included in the information model.
8. The method of claim 1, further comprising:
modifying at least one second API by applying the defined policy to the at least one second API for a second system associated with the information model.
9. The method of claim 8, further comprising:
receiving input from a user relating to the defined policy;
adjusting the defined policy based on the received input; and
modifying each of the first API and the at least one second API based on the adjusted policy.
10. The method of claim 1, further comprising:
representing the information model as a Unified Modeling Language (UML) graph that can be displayed on a display.
11. A computing device for defining a policy for controlling access to a system, the computing device comprising:
a processor;
a memory; and
a communication interface coupled to each of the processor and the memory,
wherein the processor is configured to:
identifying, for each of a plurality of information classes in an information model, at least one respective information attribute;
defining a respective predicate filtering function for at least one of the at least one respective information attribute;
determining at least one access rule associated with the corresponding information attribute based on the defined at least one respective predicate filter function;
defining a policy associated with each of the plurality of information classes based on each of the determined at least one access rule; and
constructing, based on the defined policy, a first Application Programming Interface (API) for a first system associated with the information model.
12. The computing device of claim 11, wherein the processor is further configured to:
combining at least two of the at least one respective predicate filtering functions into a single composite filter for the corresponding information attribute; and
determining the at least one access rule based on the single composite filter.
13. The computing device of claim 11, wherein the processor is further configured to:
enhancing the first API by updating at least one filter function based on the defined policy.
14. The computing device of claim 11, wherein the processor is further configured to:
intercepting a first API call to the first system related to the information model;
constructing a second API call comprising the defined policy based on the intercepted first API call; and
executing the second API call.
15. The computing device of claim 11, wherein each of the at least one respective information attribute comprises data having a respective data type selected from a plurality of data types including a text string type, a number type, and a date type.
16. The computing device of claim 11, wherein the at least one access rule comprises a data access rule relating to an ability of a first party to access first data from within the first system, and/or a function access rule relating to an ability of the first party to perform a first operation on the first data.
17. The computing device of claim 11, wherein the processor is further configured to:
constructing the first API using a Representational State Transfer (REST) framework, the REST framework including a mapping between each of a plurality of elements included in the first API and at least one corresponding class of the plurality of information classes included in the information model.
18. The computing device of claim 11, wherein the processor is further configured to:
modifying at least one second API by applying the defined policy to the at least one second API for a second system associated with the information model.
19. The computing device of claim 18, wherein the processor is further configured to:
receiving input from a user via the communication interface relating to the defined policy;
adjusting the defined policy based on the received input; and
modifying each of the first API and the at least one second API based on the adjusted policy.
20. The computing device of claim 11, wherein the processor is further configured to:
representing the information model as a Unified Modeling Language (UML) diagram displayable on a display.
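The claims above describe the mechanism in the abstract: a predicate filtering function per information attribute, several predicates composed into one composite filter, data and function access rules derived from those filters, a policy per information class, and an intercepted API call rewritten so that it carries the policy. The following Python is an added illustration of that scheme written for this page; it is not the applicant's code and the patent publishes no implementation. The information class `Account`, its attributes, the roles `teller` and `manager`, the REST paths, and the sample records are all constructed for the example. The interceptor checks the function access rule before the call is forwarded and applies the data access rules to the records that come back, and a separate check rejects a policy that references an attribute the information model does not declare.

```python
"""Policy over an information model, enforced by intercepting a REST-style API.
Added example; every class, attribute, role, path and record here is hypothetical."""
from dataclasses import dataclass, field
from datetime import date
from typing import Any, Callable, Dict, List, Tuple

Predicate = Callable[[Any], bool]  # predicate filtering function over one attribute value

# Constructed information model: one class whose attributes carry string, number and date types.
INFORMATION_MODEL: Dict[str, Dict[str, type]] = {
    "Account": {"owner": str, "balance": float, "opened": date},
}

# Constructed records held by the "first system" behind the API.
ACCOUNTS: List[Dict[str, Any]] = [
    {"id": 1, "owner": "alice", "balance": 120.0, "opened": date(2018, 3, 1)},
    {"id": 2, "owner": "bob", "balance": 9500.0, "opened": date(2021, 7, 15)},
    {"id": 3, "owner": "alice", "balance": 15000.0, "opened": date(2022, 1, 9)},
]


def compose(*preds: Predicate) -> Predicate:
    """Combine several predicate filter functions on one attribute into a single composite filter."""
    return lambda value: all(p(value) for p in preds)


@dataclass
class AccessRules:
    """Rules for one party (role) on one information class.
    data_filters: data access rules, attribute name -> predicate a visible record must satisfy.
    allowed_ops: function access rules, the operations the party may perform."""
    data_filters: Dict[str, Predicate] = field(default_factory=dict)
    allowed_ops: frozenset = frozenset()

    def visible(self, record: Dict[str, Any]) -> bool:
        return all(pred(record.get(attr)) for attr, pred in self.data_filters.items())


@dataclass
class Policy:
    """Policy for one information class, keyed by role."""
    info_class: str
    by_role: Dict[str, AccessRules] = field(default_factory=dict)


def policy_errors(policy: Policy, model: Dict[str, Dict[str, type]] = INFORMATION_MODEL) -> List[str]:
    """A predicate may only reference attributes the information model declares for the class."""
    declared = set(model.get(policy.info_class, {}))
    errors = []
    for role, rules in policy.by_role.items():
        for attr in sorted(set(rules.data_filters) - declared):
            errors.append(f"role {role!r} filters unknown attribute {attr!r} of {policy.info_class}")
    return errors


# REST mapping between API elements (method, path) and (information class, operation).
REST_MAP: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("GET", "/accounts"): ("Account", "read"),
    ("POST", "/accounts/close"): ("Account", "close"),
}


def first_api(method: str, path: str, params: Dict[str, Any]) -> List[Dict[str, Any]]:
    """The original, policy-unaware API of the first system."""
    if (method, path) == ("GET", "/accounts"):
        return list(ACCOUNTS)
    if (method, path) == ("POST", "/accounts/close"):
        return [r for r in ACCOUNTS if r["id"] == params["id"]]
    raise KeyError((method, path))


class PolicyDenied(PermissionError):
    """Raised when the function access rule forbids the requested operation."""


def allowed(policy: Policy, role: str, method: str, path: str) -> bool:
    """Function access rule: may this role perform the operation the REST element maps to?"""
    info_class, op = REST_MAP[(method, path)]
    rules = policy.by_role.get(role)
    return info_class == policy.info_class and rules is not None and op in rules.allowed_ops


def enforce(policy: Policy, role: str, method: str, path: str, params: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Intercept the first API call, build a second call that carries the policy, execute it.
    The function access rule is checked before forwarding; the data access rules are applied
    to the records the first system returns, so the caller never sees filtered-out records."""
    if not allowed(policy, role, method, path):
        raise PolicyDenied(f"{role} may not {REST_MAP[(method, path)][1]} {policy.info_class}")
    rules = policy.by_role[role]
    return [r for r in first_api(method, path, params) if rules.visible(r)]


def build_policy(today: date = date(2024, 1, 1)) -> Policy:
    """Hypothetical policy: a teller reads only accounts under 10 000 opened before today
    (two predicates on 'opened' composed into one filter); a manager reads and closes any account."""
    teller = AccessRules(
        data_filters={
            "balance": lambda b: b < 10_000,
            "opened": compose(lambda d: d < today, lambda d: d.year >= 2000),
        },
        allowed_ops=frozenset({"read"}),
    )
    manager = AccessRules(allowed_ops=frozenset({"read", "close"}))
    return Policy("Account", {"teller": teller, "manager": manager})


if __name__ == "__main__":
    policy = build_policy()
    assert policy_errors(policy) == []
    print([r["id"] for r in enforce(policy, "teller", "GET", "/accounts", {})])
```

Adjusting the policy (claim 19) is a matter of replacing an `AccessRules` entry in `by_role`; because `enforce` reads the policy on every call, both the read and the close paths pick up the change without the first API being rebuilt. Running `policy_errors` at definition time catches a filter on an attribute the model never declared, which would otherwise silently pass every record through `record.get`.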
CN202080060483.8A 2019-06-25 2020-06-24 Policy definition method across information models exposed through application programming interfaces Pending CN114365130A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US201962866293P 2019-06-25 2019-06-25
US62/866,293 2019-06-25
PCT/US2020/039343 WO2020263965A1 (en) 2019-06-25 2020-06-24 Method for defining policy across information model exposed via an application programming interface

Publications (1)

Publication Number Publication Date
CN114365130A true CN114365130A (en) 2022-04-15

Family

ID=74043235

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202080060483.8A Pending CN114365130A (en) 2019-06-25 2020-06-24 Policy definition method across information models exposed through application programming interfaces

Country Status (4)

Country Link
US (1) US11501011B2 (en)
EP (1) EP3991065A4 (en)
CN (1) CN114365130A (en)
WO (1) WO2020263965A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220014545A1 (en) * 2020-07-09 2022-01-13 Jpmorgan Chase Bank, N.A. Systems and methods for automated cyber security and control monitoring

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6804686B1 (en) 2002-04-29 2004-10-12 Borland Software Corporation System and methodology for providing fixed UML layout for an object oriented class browser
US7921452B2 (en) * 2005-08-23 2011-04-05 The Boeing Company Defining consistent access control policies
US8516538B2 (en) 2007-02-01 2013-08-20 Frequentz Llc Providing security for queries to electronic product code information services
US9430552B2 (en) * 2007-03-16 2016-08-30 Microsoft Technology Licensing, Llc View maintenance rules for an update pipeline of an object-relational mapping (ORM) platform
US8255410B2 (en) 2008-12-09 2012-08-28 Microsoft Corporation Translating queries to representational state transfer (REST)
EP2521066A1 (en) * 2011-05-05 2012-11-07 Axiomatics AB Fine-grained relational database access-control policy enforcement using reverse queries
EP3475888A1 (en) * 2016-08-22 2019-05-01 Oracle International Corporation System and method for ontology induction through statistical profiling and reference schema matching
US10834137B2 (en) * 2017-09-28 2020-11-10 Oracle International Corporation Rest-based declarative policy management

Also Published As

Publication number Publication date
US11501011B2 (en) 2022-11-15
EP3991065A4 (en) 2023-01-25
EP3991065A1 (en) 2022-05-04
WO2020263965A1 (en) 2020-12-30
US20200410125A1 (en) 2020-12-31

Similar Documents

Publication Publication Date Title
US11615151B2 (en) Query language for selecting object graphs from application metadata
US11875400B2 (en) Systems, methods, and apparatuses for dynamically assigning nodes to a group within blockchains based on transaction type and node intelligence using distributed ledger technology (DLT)
JP7451565B2 (en) A system or method for enforcing the right to be forgotten on a metadata-driven blockchain using a shared secret and read agreement
US10050991B2 (en) System and method for monitoring network vulnerabilities
US11521137B2 (en) Deployment of self-contained decision logic
US9418176B2 (en) Graph-based system and method of information storage and retrieval
US10110447B2 (en) Enhanced rest services with custom data
JP2019535065A (en) Data serialization in distributed event processing systems
US10757064B2 (en) Communication interface for handling multiple operations
CN115335827A (en) Method and apparatus for implementing role-based access control clustering machine learning model execution module
US10503567B2 (en) Flexible event ingestion framework in an event processing system
US11580250B2 (en) Efficient traversal of hierarchical datasets
US11334601B2 (en) Unified data model
US20220398236A1 (en) System and method for implementing a contract data management module
CN114365130A (en) Policy definition method across information models exposed through application programming interfaces
US11803528B2 (en) Method and apparatus for generating data structure describing how taxonomies evolve and usage algorithm thereof
US20140195908A1 (en) Uniform value help and value check
US20210034347A1 (en) Automated deployment of software components
US20220138644A1 (en) System and method for leveraging a completeness graph
US20240176769A1 (en) Consolidating change requests in data hierarchies
US20210286475A1 (en) Method and system for generating a user interface for managing a data set
CN115004149A (en) Method and system for controlling access to data

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination